f1tao/awesome-iot-security-resource

awesome iot exploit resource

Awesome iot security resource

Fundamental

• WHAT HAPPENS WHEN YOUR ROUTER IS HACKED?
• IoT Reverse Engineering
• Embedded Systems Security and TrustZone
• CH32V003 PROGRAMMING: HOW TO USE UART
• 物联网终端安全入门与实践之了解物联网终端 （上篇）
• 《物联网终端安全入门与实践之了解物联网终端》下
• 《物联网终端安全入门与实践之玩转物联网固件》上
• 物联网终端安全入门与实践之玩转物联网固件（中）
• 物联网终端安全入门与实践之玩转物联网固件（下）DIY篇
• 摄像头漏洞挖掘入门教程（固件篇）

Vulnerability Writeup

Cisco

• Cisco IOS XE CVE-2023-20198 and CVE-2023-20273: WebUI Internals, Patch Diffs, and Theory Crafting
• Cisco IOS XE CVE-2023-20198: Deep Dive and POC
• Analysis of Unauthenticated Command Execution Vulnerability in Cisco IOS XE System WebUI
• Cisco RV130 – It’s 2019, but yet: strcpy
• Exploiting CVE-2019-1663
• Breaking Cisco RV110W, RV130, RV130W, and RV215W. Again.
• Ghetto Patch Diffing a Cisco RV110W Firmware Update
• Patch Diffing a Cisco RV110W Firmware Update (Part II)
• Cisco RV340 SSL VPN Unauthenticated Remote Code Execution as root

Citrix

• Reversing Citrix Gateway for XSS
• Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway
• Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway (Part 2)
• CVE-2023-3519

F5 BIG-IP

• CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures
• CVE-2023-22374: F5 BIG-IP Format String Vulnerability
• Refresh: Compromising F5 BIG-IP With Request Smuggling | CVE-2023-46747

Fortigate

• Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN
• Producing a POC for CVE-2022-42475 (Fortinet RCE)
• CVE-2022-42475
• Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was
• XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)
• HEXACON2023 - XORtigate: zero-effort, zero-expense, 0-day on Fortinet SSL VPN by Charles Fol
• CVE-2023-27997-FortiGate-SSLVPN-HeapOverflow
• Breaking Fortinet Firmware Encryption
• Building an Exploit for FortiGate Vulnerability CVE-2023-27997
• Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762

Pulse Secure

• Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!

Palo Alto

• Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!

Juniper

• CVE-2023-36844 And Friends: RCE In Juniper Devices
• Fileless Remote Code Execution on Juniper Firewalls

SonicWall

• 一种 SonicWall nsv 虚拟机的解包方法
• Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall
• It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable

VxWroks

• Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346)

MikroTik

• Pulling MikroTik into the Limelight

ASUS

• Hunting for Unauthenticated n-days in Asus Routers

Netgear

• CVE-2021-33514：Netgear 多款交换机命令注入漏洞
• Feral Terror vulnerability (some NETGEAR smart switches UPDATED 3
• Seventh Inferno vulnerability (some NETGEAR smart switches)
• Draconian Fear vulnerability (some NETGEAR smart switches)
• COOL VULNS DON'T LIVE LONG - NETGEAR AND PWN2OWN
• PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749
• Puckungfu: A NETGEAR WAN Command Injection
• CVE-2022-27643 - NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability
• nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861)
• NETGEAR NIGHTHAWK R7000P UPNPD BUFFER OVERFLOW REMOTE CODE EXECUTION VULNERABILITY
• Reverse Engineering a Netgear Nday
• Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router
• NETGEAR NIGHTHAWK R7000P AWS_JSON UNAUTHENTICATED DOUBLE STACK OVERFLOW VULNERABILITY
• Our Pwn2Own journey against time and randomness (part 1)
• Our Pwn2Own journey against time and randomness (part 2)
• Pwn2Own Toronto 22: Exploit Netgear Nighthawk RAX30 Routers
• NetGear 夜鹰 RAX40V2 设备与固件分析

Zyxel

• Zyxel firmware extraction and password analysis
• Multiple vulnerabilities in Zyxel zysh
• Zyxel authentication bypass patch analysis (CVE-2022-0342)
• Useless path traversals in Zyxel admin interface (CVE-2022-2030)

TOTOLINK

• TOTOLINK T10旧版本漏洞挖掘和分析
• TOTOLink T6路由器漏洞复现
• TOTOLINK NR1800X 系列 CVE 分析

Tenda

• Vulnerabilities in Tenda's W15Ev2 AC1200 Router
• Tenda AX12 路由器设备分析（一）
• Tenda AX12路由器设备分析（二）之UPnP协议
• Tenda AX12 路由器设备分析（三）之OpenWrt 浅析

GL.iNET

• Vulnerabilities and Hardware Teardown of GL.iNET GL-MT300N-V2 Router

Vigor

• draytek漏洞分析
• DrayTek Vigor企业级路由器和交换机设备在野0-day 漏洞分析报告
• DrayTek Vigor 2960 从未授权到rce
• CVE-2020-8515 漏洞分析与利用
• Vigor2960漏洞复现（CVE-2020-14472）

TP-LINK

• When an N-Day turns into a 0day. (Part 1 of 2)
• Remote code execution as root from the local network on TP-Link SR20 routers
• TP-Link AC1750 (Pwn2Own 2019)
• EXPLOITING THE TP-LINK ARCHER A7 AT PWN2OWN TOKYO
• PWN2OWN TOKYO 2020: DEFEATING THE TP-LINK AC1750
• Exploiting n-day in Home Security Camera
• TP-Link IP43AN

D-Link

• THE ANATOMY OF A BUG DOOR: DISSECTING TWO D-LINK ROUTER AUTHENTICATION BYPASSES
• Debugging D-Link: Emulating firmware and hacking hardware
• D-Link DIR-816 A2路由器安全研究分享
• Reverse Engineering a D-Link Backdoor
• D-Link DAP-X1860: Remote Command Injection
• SSD ADVISORY – D-LINK DIR-X4860 SECURITY VULNERABILITIES

XiaoMI

• 实战逻辑漏洞：三个漏洞搞定一台路由器
• 【长亭HITCON演讲视频】如何从零开始攻破一台明星IoT设备
• Exploit (Almost) All Xiaomi Routers Using Logical Bugs
• 小米R3A和R4系列路由器远程命令执行漏洞（CVE-2019-18370，CVE-2019-18371）
• 关于我们在强网杯上小米路由器非预期解这件小事
• 强网杯 2021 线下 RW Mi Router
• Xiaomi AI Speaker Authenticated RCE I: Firmware Analysis
• Xiaomi AI Speaker Authenticated RCE II: How Does MICO OTA Update Work?
• Xiaomi AI Speaker Authenticated RCE III: CVE-2020-14096
• DEFCON 26-Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices
• I hacked MiBand 3, and here is how I did it. Part I
• I hacked MiBand 3, and here is how I did it Part II — Reverse Engineering to upload Firmware and Resources Over the Air
• Hack Routers, Get Toys: Exploiting the Mi Router 3
• Show Mi The Vulns: Exploiting Command Injection in Mi Router 3
• Xiaomi Wi-Fi Repeater Analysis — IoT Exploitation/Research
• Custom Firmware for the Xiaomi AX3600 Wireless Router
• 物联网设备消息总线机制的使用及安全问题
• Rooting Xiaomi WiFi Routers
• IoT Reverse Engineering

ConnectedIO

• The Path to the Cloud is Filled with Holes: Exploiting 4G Edge Routers

NAS

• A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition
• A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition
• Synology NAS DSM Account Takeover: When Random is not Secure

Camera

• HiSilicon DVR hack
• Exploiting: Buffer overflow in Xiongmai DVRs
• Hacking the Furbo Dog Camera: Part I
• Hacking the Furbo Dog Camera: Part II
• Hacking the Furbo Dog Camera: Part III Fun with Firmware
• Hacking a Tapo TC60 Camera
• Black Hat 2013 - Exploiting Network Surveillance Cameras Like a Hollywood Hacker

BootLoader

• Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
• [胖猴小玩闹] 智能门锁与网关番外二： 云丁鹿客门锁中bootloader和FreeRTOS的分析
• Breaking Secure Boot on the Silicon Labs Gecko platform

Printer

• Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
• Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
• DryOS PIXMA Printer Shell
• A Sheep in Wolf’s Clothing – Finding RCE in HP’s Printer Fleet
• FAXPLOIT: SENDING FAX BACK TO THE DARK AGES
• TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT
• Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup
• Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I
• Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II
• 【hitcon2022】Your printer is not your printer ! - Hacking Printers at Pwn2Own

Car

• How I Hacked my Car
• How I Hacked my Car Part 2: Making a Backdoor
• How I Hacked my Car Part 3: Making Software
• NFC RELAY ATTACK ON TESLA MODEL Y
• 浅谈车机IVI漏洞挖掘
• 新型车机，如何攻防？
• Rooting Bosch lcn2kai Headunit
• APK逆向分析入门-以某车载音乐APP为例

Smart Speaker

• DEFCON-26-Breaking-Smart-Speakers
• SMART SPEAKER SHENANIGANS: MAKING THE SONOS ONE SING ITS SECRETS

MQTT Protocol

• From MQTT Fundamentals to CVE
• Burglars’ IoT Paradise: Understanding and Mitigating Security Risks of General Messaging Protocols on IoT Clouds
• The Fragility of Industrial IoT’s Data Backbone

Other

• Tetsuji: Remote Code Execution on a GameBoy Colour 22 Years Later
• Your not so "Home Office" - SOHO Hacking at Pwn2Own

Exploitation Method

Uninitialized Pointer Vulnerability

• When an N-Day turns into a 0day. (Part 1 of 2)

Heap Spray

• MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

BSS Overflow

• CVE-2022-27643 - NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability

Heap Overflow

• Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router

Hardware Crack

• Exception(al) Failure - Breaking the STM32F1 Read-Out Protection
• Pwn the ESP32 crypto-core
• HARDWARE HACKING 101: IDENTIFYING AND DUMPING EMMC FLASH
• Extract Firmware from OT Devices for Vulnerability Research
• Methods for Extracting Firmware from OT Devices for Vulnerability Research
• Hacking Some More Secure USB Flash Drives (Part I)
• Hacking Some More Secure USB Flash Drives (Part II)
• Hardware Hacking to Bypass BIOS Passwords

Fault Injection

• Bypassing Secure Boot using Fault Injection
• KERNELFAULT: R00ting the Unexploitable using Hardware Fault Injection
• KERNELFAULT: Pwning Linux using Hardware Fault Injection
• HARDENING SECURE BOOT ON EMBEDDED DEVICES FOR HOSTILE ENVIRONMENTS

Firmware

Firmware Emulation

• Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device

Firmware Analysis

• IoT漏洞研究（一）固件基础
• OpenWRT中的Flash简析

Firmware Extraction

• MindShare: Dealing With Encrypted Router Firmware
• Zyxel firmware extraction and password analysis
• Reverse Engineering Yaesu FT-70D Firmware Encryption
• Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
• Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot
• Breaking Fortinet Firmware Encryption
• Dumping Flash Content
• 智能设备漏洞挖掘之固件提取

Specification

• FastCGI Developer's Kit
• The Common Gateway Interface (CGI) Version 1.1

Tool

Firmware Emulation

• firmadyne

Firmware Extraction

• binwalk
• firmware-mod-kit
• unblob
• ofrak

Firmware Analysis

• firmwalker

• emba

• pyrrha

  A filesystem cartography and correlation software focusing on visualization.

• rbasefind

  A firmware base address search tool.

Debug Tool

• gdb-static-cross

  A simple shell script and two bash sourceable scripts used to build a static gdb-7.12 gdbserver using cross-compiler setups

• gdb-static

  Public repository of statically compiled GDB and GDBServer

Other

• bkcrack

• mips-binaries

  Various binaries for the mips architecture

Blog

• ONE KEY
• HN Security
• gynvael.coldwind//vx.log
• nccgroup
• HDW Sec
• River Loop Security
• Team82
• watchTowr Labs
• CataLpa
• NeroTeam Security Labs (NSLabs)
• Flashback Team